Select Application Controls Review of the Federal Bureau of Prisons's Sentry Database System

Report No. 03-25
July 2003
Office of the Inspector General

Appendix I

OBJECTIVES, SCOPE, AND METHODOLOGY

Our audit objectives were to review the application controls for the BOP's SENTRY database and determine whether inmate data entered in SENTRY are valid, properly authorized, and completely and accurately processed. [19] To meet these objectives, we tested SENTRY application controls using the GAO's FISCAM, which divides the testing of application controls into four major areas: authorization controls (input), completeness controls (processing), accuracy controls (output), and controls over integrity of processing and data files.

To test SENTRY's application controls, we judgmentally selected 3 of the 29 CCOs for onsite reviews of their operational workflow: Annapolis Junction, Maryland; Philadelphia, Pennsylvania; and Chicago, Illinois. These CCOs were judgmentally selected because they process large volumes of inmate data into SENTRY.

Furthermore, we performed reviews of source documents at the three CCO offices to test input, process, output, and data integrity controls. In addition to the testing performed at the selected CCOs, we interviewed approximately 40 BOP officials. These interviews included the BOP managers and officials from the Computer Services Administration, Mainframe Systems Support, Systems Development Branch, Policy and Information Resource Management, Office of Information Systems, and Community Corrections. Additionally, we reviewed application, operation, and end-user manuals; the BOP's and Department information technology management policy and procedures; the BOP's project management guidance; the BOP's organizational structures and federal court cases; and prior GAO and OIG reports specific to SENTRY.

Findings identified at the time of fieldwork were communicated to the BOP to initiate corrective action. All audit work was performed in accordance with Government Auditing Standards and was based on the GAO's FISCAM, the BOP's Standard Operating Procedures, and federal laws and regulations governing inmate processing within the BOP facilities.

Footnotes

19. Although we performed an application controls review of SENTRY, this audit report does not include an evaluation of SENTRY's general controls. As part of our testing of the BOP's Annual Financial Statement for fiscal year 2002, we conducted a general control review of SENTRY's operating environment. That general control review identified weaknesses in the area of system development/change control, which represents one of the six FISCAM general control areas.